Privacy policy

What we know about you, why we know it, and what we do with it. All of it.

§ 1 — who we are and why this document exists

The Controller

This Privacy Policy explains how Underperform collects, uses, stores, and protects your personal data when you visit weunderperform.com or place an order with us. It is written in compliance with the EU General Data Protection Regulation (GDPR — Regulation 2016/679) and the Bulgarian Personal Data Protection Act (Закон за защита на личните данни).

The data controller — meaning the entity responsible for your personal data — is:

Company: Subscription Box Ltd.
Address: Bulgaria, 1220 Sofia, 5, Chudomir Str., fl. 5, ap. 21
UIC: 204684672
Email: oops@weunderperform.com

We do not have a dedicated Data Protection Officer, as we are not required to appoint one under Article 37 GDPR. If you have any data-related questions, contact us directly at the email above. We will handle it personally.


§ 2 — what data we collect and why

The Full Picture

We collect only what we genuinely need. Below is a complete account of every category of personal data we process, the purpose for processing it, and the legal basis under GDPR Article 6.

| Data | Purpose | Legal basis |
|---|---|---|
| Name, delivery address, email, phone number | Fulfilling and delivering your order; communicating about it | Art. 6(1)(b) — contract performance |
| Payment information | Processing your payment securely | Art. 6(1)(b) — contract performance |
| Order history and transaction records | Legal accounting and tax obligations | Art. 6(1)(c) — legal obligation |
| Email address (marketing) | Sending you newsletters or promotional emails, only if you opt in | Art. 6(1)(a) — consent |
| IP address, browser type, pages visited | Website analytics, security, and improving performance | Art. 6(1)(f) — legitimate interest |
| Support correspondence | Resolving complaints and customer service queries | Art. 6(1)(b) — contract performance |

We do not collect sensitive personal data (health, religion, ethnicity, political views, etc.). We sell t-shirts. We have no legitimate reason to know anything beyond what is listed above.


§ 3 — how we collect your data

Where It Comes From

We collect your personal data in the following ways:

  • Directly from you — when you place an order, create an account, contact us, or sign up for our newsletter.
  • Automatically — when you browse our Website, we collect technical data such as your IP address, browser type, and pages visited via cookies and analytics tools. See § 9 for our cookie policy.
  • From third parties — our payment processor shares transaction confirmation data with us; our print-on-demand partner shares fulfilment status updates.

§ 4 — who we share your data with

Third Parties Involved

We do not sell your personal data. We do not trade it, rent it, or share it with anyone who does not need it to help us run this business. The third parties we work with are:

  • Print-on-demand partner — receives your name and delivery address to produce and ship your order. They process this data as a data processor on our behalf.
  • Payment processor — receives your payment details to process transactions securely. They operate under their own GDPR-compliant terms.
  • Shipping carriers — receive your name and delivery address to deliver your parcel.
  • Website and analytics platform (e.g. Shopify, Google Analytics) — collects technical usage data as described in § 9.
  • Email marketing platform — stores your email address if you have opted in to marketing communications.

Where any of these processors are located outside the EU/EEA, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses — as required by GDPR Chapter V.

We may also disclose your data to competent authorities if required by law. We will not do so voluntarily or enthusiastically.


§ 5 — how long we keep your data

Retention Periods

We keep your data only for as long as necessary. Here is what that means in practice:

| Data category | Retention period | Reason |
|---|---|---|
| Order and transaction data | 5 years after the order | Bulgarian accounting and tax law obligation |
| Delivery address and contact details | Until the order is fulfilled and the return window closed, then deleted | Contract performance |
| Customer account data | Until you delete your account or request erasure | Account maintenance |
| Marketing email subscription | Until you unsubscribe or withdraw consent | Consent-based — you can withdraw at any time |
| Support correspondence | 3 years after resolution | Legitimate interest in record-keeping |
| Website analytics data | 6 months, anonymised after that | Legitimate interest in site improvement |

§ 6 — your rights under gdpr

What You Are Entitled To

Under the GDPR, you have the following rights regarding your personal data. All of them are real, all of them apply to you, and none of them require a lawyer to exercise.

Right of access

You can ask us what personal data we hold about you and receive a copy of it. Art. 15 GDPR.

Right to rectification

If your data is inaccurate or incomplete, you can ask us to correct it. Art. 16 GDPR.

Right to erasure

You can ask us to delete your personal data where there is no compelling reason to keep it. Art. 17 GDPR. Also known as the right to be forgotten.

Right to restriction

You can ask us to limit how we use your data while a dispute is being resolved. Art. 18 GDPR.

Right to portability

You can ask for your data in a structured, machine-readable format and transfer it elsewhere. Art. 20 GDPR.

Right to object

You can object to processing based on legitimate interest, including profiling. Art. 21 GDPR.

Right to withdraw consent

Where processing is based on consent (e.g. marketing emails), you can withdraw it at any time. Art. 7(3) GDPR.

Right to lodge a complaint

You can complain to the Bulgarian Commission for Personal Data Protection (CPDP) at cpdp.bg, or to the supervisory authority in your country of residence.

To exercise any of these rights, contact us at sorry@weunderperform.com. We will respond within 30 days, as required by GDPR Article 12. If the request is complex, we may extend this by a further two months — but we will tell you if that is the case, and why.

We will not charge you for exercising your rights. We will not make it difficult. We will not pretend we didn't receive your email.


§ 7 — data security

How We Protect Your Data

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration, or disclosure. This includes encrypted connections (HTTPS), restricted internal access to personal data, and use of reputable third-party processors who maintain their own security standards.

No system is entirely secure — including ours. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Bulgarian Commission for Personal Data Protection within 72 hours and inform affected individuals without undue delay, as required by GDPR Articles 33 and 34.

If that ever happens, we will be the first to admit it. Loudly.


§ 8 — children's data

Minimum Age

Our Website and products are not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.


§ 9 — cookies

The Small Files

Our Website uses cookies — small text files placed on your device. We use them for the following purposes:

  • Strictly necessary cookies — required for the Website to function (e.g. keeping your cart intact, maintaining your session). These cannot be switched off. No consent required.
  • Analytics cookies — help us understand how visitors use the Website so we can improve it. Used only with your consent.
  • Marketing cookies — used to show you relevant advertising on other platforms. Used only with your explicit consent.

When you first visit our Website, you will be presented with a cookie consent banner. You can manage or withdraw your cookie preferences at any time via the cookie settings link in the footer.

We do not use cookies to track you across the internet for purposes unrelated to running this shop. You came here for a t-shirt. We have no interest in following you around afterwards.


§ 10 — automated decision-making

Are Robots Making Decisions About You?

No. We do not use automated decision-making or profiling in any way that produces legal effects or significantly affects you. Your order is processed by a human being — or at least a human being is nominally in charge of the process. We are not that sophisticated.


§ 11 — changes to this policy

When This Document Changes

We may update this Privacy Policy from time to time — for example, if we add a new service, change a processor, or if the law requires it. The current version will always be available on this page, with the date it was last updated.

For significant changes that affect how we use your data, we will notify you by email if you have an account or an active subscription. We will not bury the change in an update you are unlikely to read. That would be exactly the kind of thing we find distasteful when other companies do it.


§ 12 — supervisory authority

Your Right to Complain

If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the competent supervisory authority. In Bulgaria, this is:

Authority: Commission for Personal Data Protection (КЗЛД)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Website: cpdp.bg
Email: kzld@cpdp.bg

If you are resident in another EU member state, you may also complain to the supervisory authority in your country. We hope it never comes to that. Please email us first.